Internal Audit Report. BOCC Utilities

Size: px

Start display at page:

Download "Internal Audit Report. BOCC Utilities"

Alaina Greene
5 years ago
Views:

1 Internal Audit Report BOCC Utilities Report Number: Date: October 17, 2018

To: The Honorable Linda Doggett, Lee County Clerk of the Circuit Court & Comptroller From: Tim Parks, Chief Internal Audit Officer/Inspector General Date: October 17, 2018 Re: Dear Ms.

2 To: The Honorable Linda Doggett, Lee County Clerk of the Circuit Court & Comptroller From: Tim Parks, Chief Internal Audit Officer/Inspector General Date: October 17, 2018 Re: Dear Ms. Doggett, The Inspector General Department has completed an audit of BOCC Utilities. Mabel Febles, CIGA, conducted this review. This audit activity conforms to the Institute of Internal Auditor s (IIA) International Standards for the Professional Practice of Internal Auditing (Red Book) and the Association of Inspectors General (AIG) Principles and Standards for Offices of Inspector General (Green Book). The audit client s response is attached to this report. We wish to express our appreciation for the cooperation and assistance provided us by management and staff during this review. This report will be posted to the Clerk of Courts website, under Inspector General, Audit Reports. A link to this report has been sent to the Lee County Board of County Commissioners and appropriate parties. Should you have any questions, please do not hesitate to contact me. Sincerely, Tim Parks, Chief Internal Audit Officer/Inspector General Inspector General Department TJP/GK

3 Table of Contents Executive Summary... 1 Background... 2 Objective, Scope, and Methodology... 3 Observations and Recommendations... 4

4 Executive Summary The Lee County Clerk of Circuit Court & Comptroller s (LCCC) 2017 Annual Audit Plan included an audit of Lee County Utilities (LCU). The audit objective was to determine if effective internal controls are in place, to evaluate the effectiveness and efficiency of the Customer Services Office (CSO), and to determine compliance with applicable laws, regulations, policies and procedures. CSO s risk factors were identified in a risk assessment questionnaire that was completed by department management. An entrance conference was held with management to discuss the results, confirm the audit s objective and scope, and to solicit current information regarding risks. A variety of tests were performed which included review, analysis, or reconciliation of: CSO s customer service system (ecis+) billing process and the effectiveness of its controls Monthly accounts receivable and security deposit totals between the ecis+ system and the financial system (E1) CSO s identity theft prevention program and sensitive personal information management Daily cash receipt and billing transactions between ecis+, bank statements, and E1 The credit refund process and related transactions The rates charged on billing statements Job related training Our conclusion is that CSO employees are performing their duties in a satisfactory manner. They appear to be adequately and appropriately trained to perform the required tasks. We offer recommendations to add value and enhance the efficiency and effectiveness of CSO s processes and controls. CSO internal controls related to the processing of credit refunds are adequate. However, there are opportunities to increase effectiveness by requiring next level supervisory review and approval of transactions. Examples: 1

5 A report designed to identify transactions that need review and correction was overlooked, and that resulted in an adjustment not being posted. CSO has subsequently updated procedures to require a supervisory review of the report. The credit refund report that includes the pending list of customer refunds did not require a secondary review. Since data can be added or deleted from the list, an incorrect payment could be issued. The department s procedures were subsequently updated to require a secondary review. Even though there are controls in place that limit the dollar amount of fees that can be entered, any fee can be waived or reversed without a supervisor s approval. Current controls for the prevention of identity theft and the management of customer personal information were reviewed, and instances were identified in which the office could benefit by strengthening its internal controls. We recommend: The mandatory Identity Theft Prevention Program be periodically reviewed and updated Cashier computer screens be shielded from view by customers standing at the next cashier s window. Periodic personnel training including skimming prevention methods related to the physical security of payment devices. Background According to Lee County s website: Lee County Utilities is a division of the newly formed Department of Public Utilities, which also includes the Lee County Division of Solid Waste. There are significant parallels in operating practices that can be efficiently provided through shared resources. The Department of Public Utilities is committed to responding quickly to our customers' concerns and providing them with reliable drinking water and sewer service. LCU is committed to: Providing reliable drinking water and wastewater service Protecting the environment and ensuring regulatory compliance Responding quickly to customers' concerns Achieving financial sustainability by building upon long-term assets Employing safe business practices to measure and manage risk, optimize life-cycle costs and prioritize capital and Operations and Maintenance decisions 2

6 As of August 2, 2018, CSO posted approximately $88.4 million in revenue. CSO is separated into the Billing, Cashiering, Call Center, Collections, and Back Office sections. Billing manages the billing statements. The statements are automatically generated by the billing system. On average, 84,493 billing statements were mailed out monthly. CSO maintained a monthly average of 83,860 active accounts. The office collects revenue through different methods that include a lockbox, a drop box, ACH/electronic funds transfers, pay-by-phone automated line, online, mobile app, walk-in, and customer s online banking. Some of the tasks conducted by the office include managing: The daily reviews and corrections required before billing statements are mailed out Requests when high usage, misreads, or potential leaks at the meter have been discovered Any adjustments, credits, or charges that need to be added to customer accounts Customer inquiries received through the call center The collection process for past due accounts Daily cash receipt transactions and reconciliations Monthly accounts receivable and sales journal reconciliations CSO is in the preliminary stages of starting a lien process for recently closed accounts in which a pending balance exists, and the account holder is listed as a prior property owner, as well as for active sewer only accounts. Objective, Scope, and Methodology The audit objective was to determine if effective internal controls are in place, to evaluate the effectiveness and efficiency of CSO, and to determine compliance with applicable laws, regulations, policies and procedures. The audit scope included the: Accuracy of daily cash receipts and billing transactions between CSO's software system (ecis+), bank statements, and the reporting financial system (E1) Accuracy of monthly accounts receivable and customer security deposit totals between ecis+ and E1 Effectiveness of current controls pertaining to the ecis+ billing process Effectiveness of the credit refund process and transactions Effectiveness and compliance related to the identity theft prevention program and management of sensitive personal information Accuracy of rates in the billing statements 3

7 Sufficiency of supporting documentation Completion of job related training The audit methodology is comprised of four steps: Preliminary Risk Assessment: A meeting was held with management to discuss the audit objective and scope and to solicit information regarding risks. Planning: Audit procedures were developed based upon research, audit objective, scope, and the preliminary meeting. Field Work: Managers and employees were interviewed for insight on the operations. Evaluations and tests were conducted on operations and procedures to address and complete the audit fieldwork. Wrap-up: An Exit conference was held with management to discuss the audit results. Observations and Recommendations Next Level Supervisory Approval The credit balance refund process was reviewed. It was noted that a transaction from the "Credit Refund Account Error Log" report was unresolved, resulting in an unposted adjustment. This report identifies pending transactions that if not investigated, could lead to a charge or credit not being posted. The department's procedures were subsequently updated to require a supervisory review of the report. It was observed that the "S Drive Report" was prepared, reviewed, and approved by one person. The report includes all requested refunds. Data can be added or deleted from the list, and if a secondary review is not conducted, incorrect refund payments could be issued. The department's procedures were updated to include additional review. There were limit controls in place consisting of different dollar amounts, depending on the employee s position. Secondary reviews for reversing or waiving fees were not required. Supervisory review and approval of specific transactions may prevent errors and act as a deterrent to intentional abuse. Recommendation We recommend that controls towards the Credit Balance Refund process and the waiving or reversal of specific fees be tightened by requiring next level supervisory review and approval. 4

8 Customer Service's Identity Theft Protection The Federal Trade Commission (FTC) enforces the Red Flags Rule which requires businesses and organizations to implement a written identity theft prevention program. We reviewed CSO s written program and noticed that it hadn't been reviewed or updated since According to CSO, annual group meetings are held, and the last group meeting occurred in February The meeting included a limited discussion concerning identity theft prevention. It was observed that data from the cashier screens was visible by individuals standing at the next cashier s window. Recommendation We recommend that: The Identity Theft Prevention Program be reviewed and periodically updated to reflect current best practices Make the Cashier computer screens less visible to customers standing at the next cashier s window. Periodic personnel training including skimming prevention methods related to the physical security of payment devices. 5